CVE-2026-20805 — Microsoft Windows Information Disclosure Vulnerability

Microsoft Windows DWM — ASLR-Defeating ALPC Section Address Leak (Local System Address Disclosure)

What is Windows Desktop Window Manager?

Windows Desktop Window Manager (DWM, dwm.exe) is the compositor process in Windows: it takes the off-screen surface of every application window and composes the desktop the user sees, including animations, translucency and other visual effects. DWM runs in each interactive session under a dedicated Window Manager account with more privilege than an ordinary user, and it exchanges messages with user-mode clients and with the graphics subsystem over ALPC (Advanced Local Procedure Call), the kernel-mediated inter-process messaging mechanism used throughout Windows. An address leaked out of DWM is valuable to an attacker because DWM is a higher-privileged process that has repeatedly been the target of local privilege escalation bugs, and a known address inside its address space defeats ASLR (Address Space Layout Randomization) for an exploit aimed at it.

Overview

CVE-2026-20805 is an information disclosure vulnerability (CWE-200) in Windows Desktop Window Manager. DWM exposes the address of a section (a shared memory mapping) belonging to a remote ALPC port that resides in user-mode memory, so a locally authenticated, low-privileged attacker can learn where that mapping sits in a higher-privileged process's address space. The bug reads an address and nothing else, which is why it scores as a medium-severity confidentiality issue, but that address is exactly what a chained exploit needs: combined with a separate code execution or privilege escalation bug, it supplies the memory layout information that turns an otherwise unreliable memory corruption into a precise one. It was exploited as a zero-day in January 2026 and fixed in the January 2026 Patch Tuesday release.

Affected Versions

Product | Vulnerable | Fixed
Windows 10 (multiple supported versions) | All builds before the January 2026 cumulative update | January 2026 cumulative update
Windows 11 (multiple supported versions) | All builds before the January 2026 cumulative update | January 2026 cumulative update
Windows Server (multiple supported versions) | All builds before the January 2026 security update | January 2026 security update

Technical Details

The vulnerability (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) lies in how DWM handles memory references it exposes through ALPC (Advanced Local Procedure Call) ports. Specifically, DWM discloses the address of a section (memory mapping) belonging to a remote ALPC port, and that address resides in user-mode accessible memory. A locally authenticated user with low privileges (PR:L in the CVSS vector) can obtain it without any user interaction. The advisory does not describe which ALPC interface is involved or the exact sequence of calls, and this page does not speculate beyond what Microsoft has stated.

The value of this leak lies in defeating ASLR. Windows randomizes where executable images and other memory regions are placed: the load address of a given system DLL is chosen once per boot and then shared by every process that maps it, while stacks, heaps and other private allocations are randomized per process. An attacker who holds a memory corruption bug but no address knowledge has to guess, and a wrong guess usually crashes the target instead of hijacking it. One disclosed address inside the target's address space changes that: the attacker subtracts the known offset of the leaked object from its address to recover the base of the mapping or module that contains it, then adds the offset of whatever they actually want to reach. A memory corruption bug that would otherwise fail unpredictably becomes a reliable exploit with a known target address. Note that the disclosed address is a user-mode address; on its own it says nothing about kernel layout, and its practical use is against the privileged process that owns the mapping. Address leaks from privileged processes like DWM are classic ASLR-defeat primitives in Windows exploit chains.

Discovery

Credited to Microsoft's internal security teams. No external researcher is identified in the advisory.

Exploitation Context

Exploitation in the wild was confirmed at the time of the January 2026 Patch Tuesday disclosure, and CISA added the CVE to the KEV catalog the same day. No specific threat actor has been publicly attributed. The "Medium" CVSS score (5.5) and the information-disclosure-only classification understate the practical danger: in a chained exploit, an ASLR-defeat leak is often the prerequisite that makes a higher-severity code execution or LPE vulnerability reliable and deployable. The fact that this leak was seen in use also implies the attacker held a second, unreported or already patched bug to pair it with, which is a reason to treat the rest of the January release with the same urgency. Microsoft's January 2026 Patch Tuesday addressed 113 CVEs in total, the largest release in recent memory, and this zero-day was among the most notable.

Remediation

  1. Apply the January 2026 cumulative update (or the January 2026 security update for Windows Server) to all affected systems immediately; organisations bound by BOD 22-01 have until 2026-02-03.
  2. Do not deprioritize this fix based on the medium CVSS score. Information disclosure vulnerabilities that defeat ASLR are frequently the enabling link in multi-stage exploit chains, and this one is already in use.
  3. Enable the system-wide Exploit Protection (formerly Exploit Guard) settings, in particular mandatory ASLR (ForceRelocateImages), bottom-up and high-entropy randomization, and SEHOP, via Group Policy, Intune or Set-ProcessMitigation. Be precise about what they buy: mandatory ASLR only forces relocation of images that did not opt in, and none of these settings help once an attacker already holds a leaked address, so they are defense in depth for the remaining stages of a chain rather than a mitigation for this CVE. Test before a broad rollout, because mandatory ASLR can break legacy binaries that ship without relocation data.
  4. Windows does not write ALPC port connections to the event log, so monitoring for this bug is indirect: watch for dwm.exe crashes (Application Error event ID 1000) and unexpected DWM restarts, which a failed memory-corruption stage against the compositor typically leaves behind, and correlate them with low-privileged interactive sessions on the same host.
  5. Apply defense in depth: patch the co-disclosed January 2026 CVEs promptly, since attackers may pair this information disclosure with another vulnerability from the same release.
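The following PowerShell script is an added example for the remediation steps above; it is not from the Microsoft advisory or from this page's original author. It checks whether anything has been installed since the 2026-01-13 release date (the KB number is not stated on this page, so the check keys on install date rather than a specific hotfix ID), turns on the system-wide Exploit Protection settings discussed in step 3, confirms they took effect, and hunts the Application log for dwm.exe crashes as the indirect signal described in step 4. The 30-day lookback window is an arbitrary choice.

```powershell
# Added example (not the advisory's own code). Run in an elevated PowerShell
# session on a Windows 10/11 or Windows Server host.
#Requires -RunAsAdministrator

# Patch Tuesday date from the advisory; the KB number is not on this page,
# so the check keys on install date rather than a specific HotFixID.
$patchTuesday = Get-Date '2026-01-13'

# 1. Patch check: anything installed on or after Patch Tuesday. An empty
#    result means the host has received nothing since the release date.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending
if (-not $recent) {
    Write-Warning "No updates installed since $($patchTuesday.ToShortDateString()); apply the January 2026 cumulative update."
} else {
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
}

# 2. System-wide Exploit Protection. ForceRelocateImages (mandatory ASLR),
#    BottomUp and HighEntropy only affect images that did not opt into ASLR
#    and non-image allocations; they do nothing once an attacker already
#    holds a leaked address. They are defence in depth for the rest of a
#    chain. Mandatory ASLR can break legacy binaries with no relocation
#    data, so test on a pilot group before pushing this fleet-wide.
Set-ProcessMitigation -System -Enable ForceRelocateImages, BottomUp, HighEntropy, SEHOP

# Confirm the settings took effect (values read ON / OFF / NOTSET).
$sys = Get-ProcessMitigation -System
$sys.ASLR  | Format-List ForceRelocateImages, BottomUp, HighEntropy
$sys.SEHOP | Format-List Enable

# 3. Crash hunting: a memory-corruption stage that follows a leak and fails
#    usually crashes the compositor. That lands in the Application log as an
#    Application Error event 1000 naming dwm.exe. ALPC connections themselves
#    are not logged, so this is the indirect signal to watch.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-30)   # arbitrary lookback window
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'dwm\.exe' }

if ($crashes) {
    Write-Warning "$(@($crashes).Count) dwm.exe crash event(s) in the last 30 days; review for a failed exploit chain."
    $crashes |
        Select-Object TimeCreated,
            @{ n = 'Faulting'; e = { ($_.Message -split "`r?`n")[0..1] -join ' | ' } } |
        Format-Table -AutoSize
} else {
    Write-Output 'No dwm.exe crash events found in the lookback window.'
}
```

A single dwm.exe crash is not evidence of exploitation; graphics driver faults produce the same event. The pattern worth escalating is repeated crashes on one host, or a crash that coincides with a logon from an account that should not be running anything unusual in that session.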

Key Details

Property | Value
CVE ID | CVE-2026-20805
Vendor / Product | Microsoft — Windows
NVD Published | 2026-01-13
NVD Last Modified | 2026-01-14
CVSS 3.1 Score | 5.5
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity | MEDIUM
CWE | CWE-200
CISA KEV Added | 2026-01-13
CISA KEV Deadline | 2026-02-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2026-02-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2026-01-13 | January 2026 Patch Tuesday: patch released; CVE published as an actively exploited zero-day; added to the CISA KEV catalog
2026-01-14 | NVD entry last modified
2026-02-03 | CISA BOD 22-01 remediation deadline